Security & Privacy Policies

SPH Information Security Policy

Security Resources

A. University Information

University information may be broadly classified into one of three categories:

  1. Information that is generated publicly or is intended to be made public.
  2. Information that is gathered or generated for the University’s internal use.
  3. Confidential information pertaining to the University’s individual students, faculty and staff.

The information that employees generate or maintain in the course of their duties belongs not to them individually but to the University, which entrusts it to their custody. The custody of University information is the responsibility both of the custodian and his or her supervisors. Managers should adopt, announce and enforce safeguards and procedures to protect the confidentiality of such information. Everyone must protect the confidentiality of University information that is not intended to be made public. University staff may not use non-public University information for personal ends, nor obstruct its use for proper University purposes.

Particular care must be taken by supervisors and custodians with personally identifiable confidential information, such as a student’s financial aid, grades and academic evaluations; employee’s salaries and performance evaluations; and family data and medical records. Such information must be accorded the strictest safeguards, so that access is given only to those whose duties require it. In addition, disclosure of information pertaining to students is subject to the restrictions of the Family Educational Rights and Privacy Act (FERPA), a federal law.

Rules about the retention of University information can be found at the web site of the Records Management Office.